Depending on whether someone is signed in or out, YouTube pages can be loaded over a secure or insecure connection. Secure connections are achieved with SSL. To avoid warning messages in the viewer’s browser, we require that ads, creatives, and tracking elements are requested using an appropriate connection:
- For non-secure pages (HTTP://), the ad, creative, and tracking pixels can use either HTTP or HTTPS.
- For secure pages (HTTPS://), the ad, creative, and tracking pixels must only use HTTPS. Also, for ads and creatives loaded with HTTPS://, all subsequent requests to media assets or tracking URLs must also use HTTPS://. All creatives must be able to deliver over HTTP and HTTPS without the need for special trafficking. If tracking pixel URLs are given, they must be SSL-compliant (begin with HTTPS://). The only part of an ad permitted to be non-SSL compliant is the click URL (target landing page).
3rd party served display ads
Some vendors autocorrect their creative to be SSL-compliant. For these vendors, there’s little change needed for your creative to be SSL-compliant. A list of vendors and their capabilities is available here.
VAST tracking pixels
For the tracking of VAST ads such as inStream and inVideo, we’ll request any insecure URLs via a secure connection. We’ll achieve this by swapping out HTTP:// with HTTPS:// before requesting the URL. If your tracking vendor can’t support this functionality, the tracking URL supplied must be SSL-compliant (start with HTTPS://). A list of vendors and their capabilities is available here.
3rd party served VAST ads
All 3rd party VAST ads must be SSL-compliant. Any URL within a VAST response must use the appropriate connection.
- For non-secure pages (HTTP://), the creative and tracking pixels can use either HTTP or HTTPS.
- For secure pages (HTTPS://), the creative and tracking pixels must only use HTTPS. Sometimes, your vendor won’t autocorrect the ad response to the right protocol or won’t swap HTTP:// for HTTPS://. In these cases, all media and tracking URLs in the VAST ad must use HTTPS:// by default.